diff options
| author | Patrick McHardy <kaber@trash.net> | 2013-08-27 02:50:13 -0400 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2013-08-27 18:27:44 -0400 |
| commit | 0198230b7705eb2386e53778d944e307eef0cc71 (patch) | |
| tree | 0f1a970873df8a3dd3c1111020b6555e8f8d0518 /net/ipv4 | |
| parent | 41d73ec053d2424599c4ed8452b889374d523ade (diff) | |
net: syncookies: export cookie_v4_init_sequence/cookie_v4_check
Extract the local TCP stack independant parts of tcp_v4_init_sequence()
and cookie_v4_check() and export them for use by the upcoming SYNPROXY
target.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Acked-by: David S. Miller <davem@davemloft.net>
Tested-by: Martin Topholm <mph@one.com>
Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/ipv4')
| -rw-r--r-- | net/ipv4/syncookies.c | 29 |
1 files changed, 18 insertions, 11 deletions
diff --git a/net/ipv4/syncookies.c b/net/ipv4/syncookies.c index b05c96e7af8b..14a15c49129d 100644 --- a/net/ipv4/syncookies.c +++ b/net/ipv4/syncookies.c | |||
| @@ -160,26 +160,33 @@ static __u16 const msstab[] = { | |||
| 160 | * Generate a syncookie. mssp points to the mss, which is returned | 160 | * Generate a syncookie. mssp points to the mss, which is returned |
| 161 | * rounded down to the value encoded in the cookie. | 161 | * rounded down to the value encoded in the cookie. |
| 162 | */ | 162 | */ |
| 163 | __u32 cookie_v4_init_sequence(struct sock *sk, struct sk_buff *skb, __u16 *mssp) | 163 | u32 __cookie_v4_init_sequence(const struct iphdr *iph, const struct tcphdr *th, |
| 164 | u16 *mssp) | ||
| 164 | { | 165 | { |
| 165 | const struct iphdr *iph = ip_hdr(skb); | ||
| 166 | const struct tcphdr *th = tcp_hdr(skb); | ||
| 167 | int mssind; | 166 | int mssind; |
| 168 | const __u16 mss = *mssp; | 167 | const __u16 mss = *mssp; |
| 169 | 168 | ||
| 170 | tcp_synq_overflow(sk); | ||
| 171 | |||
| 172 | for (mssind = ARRAY_SIZE(msstab) - 1; mssind ; mssind--) | 169 | for (mssind = ARRAY_SIZE(msstab) - 1; mssind ; mssind--) |
| 173 | if (mss >= msstab[mssind]) | 170 | if (mss >= msstab[mssind]) |
| 174 | break; | 171 | break; |
| 175 | *mssp = msstab[mssind]; | 172 | *mssp = msstab[mssind]; |
| 176 | 173 | ||
| 177 | NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_SYNCOOKIESSENT); | ||
| 178 | |||
| 179 | return secure_tcp_syn_cookie(iph->saddr, iph->daddr, | 174 | return secure_tcp_syn_cookie(iph->saddr, iph->daddr, |
| 180 | th->source, th->dest, ntohl(th->seq), | 175 | th->source, th->dest, ntohl(th->seq), |
| 181 | jiffies / (HZ * 60), mssind); | 176 | jiffies / (HZ * 60), mssind); |
| 182 | } | 177 | } |
| 178 | EXPORT_SYMBOL_GPL(__cookie_v4_init_sequence); | ||
| 179 | |||
| 180 | __u32 cookie_v4_init_sequence(struct sock *sk, struct sk_buff *skb, __u16 *mssp) | ||
| 181 | { | ||
| 182 | const struct iphdr *iph = ip_hdr(skb); | ||
| 183 | const struct tcphdr *th = tcp_hdr(skb); | ||
| 184 | |||
| 185 | tcp_synq_overflow(sk); | ||
| 186 | NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_SYNCOOKIESSENT); | ||
| 187 | |||
| 188 | return __cookie_v4_init_sequence(iph, th, mssp); | ||
| 189 | } | ||
| 183 | 190 | ||
| 184 | /* | 191 | /* |
| 185 | * This (misnamed) value is the age of syncookie which is permitted. | 192 | * This (misnamed) value is the age of syncookie which is permitted. |
| @@ -192,10 +199,9 @@ __u32 cookie_v4_init_sequence(struct sock *sk, struct sk_buff *skb, __u16 *mssp) | |||
| 192 | * Check if a ack sequence number is a valid syncookie. | 199 | * Check if a ack sequence number is a valid syncookie. |
| 193 | * Return the decoded mss if it is, or 0 if not. | 200 | * Return the decoded mss if it is, or 0 if not. |
| 194 | */ | 201 | */ |
| 195 | static inline int cookie_check(struct sk_buff *skb, __u32 cookie) | 202 | int __cookie_v4_check(const struct iphdr *iph, const struct tcphdr *th, |
| 203 | u32 cookie) | ||
| 196 | { | 204 | { |
| 197 | const struct iphdr *iph = ip_hdr(skb); | ||
| 198 | const struct tcphdr *th = tcp_hdr(skb); | ||
| 199 | __u32 seq = ntohl(th->seq) - 1; | 205 | __u32 seq = ntohl(th->seq) - 1; |
| 200 | __u32 mssind = check_tcp_syn_cookie(cookie, iph->saddr, iph->daddr, | 206 | __u32 mssind = check_tcp_syn_cookie(cookie, iph->saddr, iph->daddr, |
| 201 | th->source, th->dest, seq, | 207 | th->source, th->dest, seq, |
| @@ -204,6 +210,7 @@ static inline int cookie_check(struct sk_buff *skb, __u32 cookie) | |||
| 204 | 210 | ||
| 205 | return mssind < ARRAY_SIZE(msstab) ? msstab[mssind] : 0; | 211 | return mssind < ARRAY_SIZE(msstab) ? msstab[mssind] : 0; |
| 206 | } | 212 | } |
| 213 | EXPORT_SYMBOL_GPL(__cookie_v4_check); | ||
| 207 | 214 | ||
| 208 | static inline struct sock *get_cookie_sock(struct sock *sk, struct sk_buff *skb, | 215 | static inline struct sock *get_cookie_sock(struct sock *sk, struct sk_buff *skb, |
| 209 | struct request_sock *req, | 216 | struct request_sock *req, |
| @@ -284,7 +291,7 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb, | |||
| 284 | goto out; | 291 | goto out; |
| 285 | 292 | ||
| 286 | if (tcp_synq_no_recent_overflow(sk) || | 293 | if (tcp_synq_no_recent_overflow(sk) || |
| 287 | (mss = cookie_check(skb, cookie)) == 0) { | 294 | (mss = __cookie_v4_check(ip_hdr(skb), th, cookie)) == 0) { |
| 288 | NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_SYNCOOKIESFAILED); | 295 | NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_SYNCOOKIESFAILED); |
| 289 | goto out; | 296 | goto out; |
| 290 | } | 297 | } |